11 Pro Tips for OAuth 2.0 Pentesting
To build on the AI podcast based on RFC 6819 I recently posted, here are 11 specific tips for pentesters when dealing with OAuth 2.0:
1. Identify and exploit hardcoded secrets in source code
Look for client secrets embedded in the application's source code, configuration files, and shipped binaries or app packages, especially in open-source projects or accidentally exposed repositories. RFC 6819 notes that an attacker can obtain a client secret from source or binary; a secret recovered this way lets the attacker authenticate as that client at the token endpoint, and a public client (native or browser-based app) cannot keep a secret at all, so any secret you find there is effectively public. [Section 4.1.1; countermeasure in 5.3.1]
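As an added example (not from the original post), here is a small scanner for the key/value shapes in which client secrets usually end up in code: assignments, JSON config fields and URL-encoded token-endpoint bodies. It filters obvious placeholders and environment lookups and reports per-value entropy to help triage real credentials from fixtures. The sample source it scans is constructed for the example; the key names are generic and should be extended to the target's SDK.

```python
import math
import re
from collections import Counter

# Key/value shapes that leak client secrets: code assignments, JSON config
# fields and URL-encoded token-endpoint bodies. Key names are generic; tune
# them to the target's SDK.
SECRET_RE = re.compile(
    r'(?i)\b(client[_-]?secret|consumer[_-]?secret|oauth[_-]?secret)\b'
    r'["\']?\s*[:=]\s*["\']?([A-Za-z0-9_\-./+%]{8,})'
)
# Values that are obviously not live credentials, and references that resolve
# the secret at runtime from the environment (the right way to do it).
PLACEHOLDERS = {"changeme", "your_client_secret", "xxxxxxxx", "secret", "redacted"}
ENV_REF = re.compile(r'^(os\.|process\.env|System\.getenv)')


def shannon_entropy(value):
    """Bits per character: random secrets score well above 3, dictionary words below."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def find_client_secrets(source):
    """Scan text for hardcoded OAuth client secrets.

    Returns one dict per hit with line number, key, value and entropy so the
    tester can triage live credentials from placeholders and test fixtures.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in SECRET_RE.finditer(line):
            key, value = m.group(1), m.group(2)
            if value.lower() in PLACEHOLDERS or ENV_REF.match(value):
                continue
            hits.append({"line": lineno, "key": key, "value": value,
                         "entropy": round(shannon_entropy(value), 2)})
    return hits


# Constructed sample "source file" for this example; not a real application.
SAMPLE_SOURCE = """\
# settings.py (constructed sample)
CLIENT_ID = "web-app-1"
CLIENT_SECRET = "s3cr3t-Hardc0ded-Value-9f2a"
TOKEN_URL = "https://as.example/token"
BODY = "grant_type=client_credentials&client_id=web-app-1&client_secret=AbC123xyz789"
# the safe pattern: resolve the secret at runtime, never commit it
client_secret = os.environ["CLIENT_SECRET"]
client_secret = "changeme"
"""

if __name__ == "__main__":
    for hit in find_client_secrets(SAMPLE_SOURCE):
        print(f"line {hit['line']}: {hit['key']} = {hit['value']} (entropy {hit['entropy']})")
```

Run it over a checked-out repository or an unpacked app bundle; only lines 3 and 5 of the sample are reported, the environment lookup and the placeholder are skipped.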
2. Check whether client secrets are deployment-specific
If the same client secret is shared by every installation of a client (for example, one secret baked into every copy of a native app), compromising one installation compromises all of them, and the authorization server cannot revoke that secret without breaking every deployment. Look for secrets reused across installations and across environments such as development, staging and production. [Section 4.1.1, countermeasure "deployment-specific client secrets"]
3. Locate insecure storage of refresh tokens
On native and mobile applications, refresh tokens are often written to ordinary app storage (preferences files, SQLite databases, plain files) rather than the platform's secure storage, and they end up in device backups and logs. A refresh token is long-lived, and on a public client that has no secret of its own it can usually be used from any machine once copied; on a confidential client, check whether the token is bound to the client_id so that it is useless without the client's credentials. [Section 4.1.2; countermeasures 5.3.3, 5.3.4, 5.2.2.2]
4. Exploit long-lived access tokens
If access tokens are not short-lived or refresh tokens are not rotated, a compromised token keeps working long after the theft. Check the expires_in value in token responses, whether a refresh call returns a new refresh token and invalidates the old one, and whether presenting an already-rotated refresh token is detected and revokes the active one (the RFC's rotation countermeasure is designed to expose exactly this reuse). [Section 5.1.5.3, 5.2.2.3]
5. Exploit improperly validated redirect URIs
If the authorization server does not validate redirect_uri against the full pre-registered value (an exact match), an attacker can direct the redirect to an endpoint they control and receive the victim's authorization code or access token. The RFC describes two variants: the server accepts redirect URIs that only partially match the registration (prefix, domain or substring checks), or the client hosts an open redirector under a registered URI, so a redirect_uri that passes validation still forwards the code to the attacker. Test path, query, subdomain and userinfo variations of the registered URI and watch whether the server still issues a code. [Section 4.1.5, 4.2.4, 4.4.1.5; countermeasure 5.2.3.5]
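The following is an added example, not code from the original post. It generates the redirect_uri variants a tester submits against a registered value and shows which of four validation strategies seen in the wild let each one through; only the exact match recommended by RFC 6819 rejects all of them. The registered URI `https://client.example/cb` and the host `attacker.example` are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed registered redirect URI and attacker host for this example.
REGISTERED = "https://client.example/cb"
ATTACKER = "attacker.example"


def redirect_uri_candidates(registered, attacker=ATTACKER):
    """Variants a tester submits as redirect_uri to probe the server's check."""
    p = urlsplit(registered)
    host = p.hostname
    base = f"{p.scheme}://{p.netloc}{p.path}"
    return {
        # the browser normalises /cb/../open to /open before requesting it
        "path_traversal":     f"{base}/../open?url=https://{attacker}/",
        # abuses an open redirector on the client that follows ?next=
        "extra_query":        f"{base}?next=https://{attacker}/",
        "attacker_subdomain": f"{p.scheme}://{host}.{attacker}{p.path}",
        # everything before '@' is userinfo; the real host is the attacker's
        "userinfo_trick":     f"{p.scheme}://{host}@{attacker}{p.path}",
        "host_in_query":      f"https://{attacker}/cb?ref={host}",
        "scheme_downgrade":   f"http://{p.netloc}{p.path}",
    }


# Four validation strategies, weakest first.
def host_substring_match(registered, supplied):
    return urlsplit(registered).hostname in supplied


def prefix_match(registered, supplied):
    return supplied.startswith(registered)


def parsed_host_match(registered, supplied):
    return urlsplit(supplied).hostname == urlsplit(registered).hostname


def exact_match(registered, supplied):
    # RFC 6819 section 5.2.3.5: compare against the full pre-registered URI.
    return supplied == registered


def accepted_by(validator, registered=REGISTERED):
    """Names of the attacker-controlled candidates a validator lets through."""
    return {name for name, uri in redirect_uri_candidates(registered).items()
            if validator(registered, uri)}


if __name__ == "__main__":
    for v in (host_substring_match, prefix_match, parsed_host_match, exact_match):
        print(f"{v.__name__:22s} accepts {sorted(accepted_by(v))}")
```

The prefix check passes the two variants that stay under the registered path, which is exactly the open-redirector-on-client case from section 4.1.5; the parsed-host check additionally accepts the plain-HTTP downgrade.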
6. Bypass weak client authentication
Client credentials sent in plaintext or over a connection without TLS can be intercepted and replayed to impersonate the client at the token endpoint. Also check for guessable secrets (the token endpoint should use high-entropy secrets and throttle or lock out repeated failed client authentication) and for confidential clients that are in practice identified by client_id alone. [Section 4.3.3, 4.3.5]
7. Phishing attacks on end users
Users rarely verify where an authorization request actually sends them, so an attacker can stand up a counterfeit authorization server (a look-alike login page on a similar hostname) and harvest credentials from users directed there by a malicious client or a phishing link. When testing, check that the client's authorization endpoint is fixed in configuration rather than taken from user input, and that it is reached over TLS with the server certificate validated. [Section 4.2.1; countermeasure 5.1.2]
8. Exploit missing ‘state’ parameter for CSRF
If the client does not send a state value, or sends one that is predictable or not bound to the user's session, an attacker who has obtained an authorization code for their own account can force the victim's browser onto the client's redirect URI carrying that code, so the victim ends up logged in as the attacker or with the attacker's account attached to the victim's. Look for callbacks that ignore state, accept an empty one, or accept the same value more than once. [Section 3.6, 4.4.1.8]
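As an added example (not from the original post), here is the client side of the flow in two versions: a callback handler that ignores state and binds whatever code arrives to the session, and a hardened one that mints an unguessable state per session, compares it in constant time and consumes it on first use. The `demo` function plays through the CSRF the text describes and the legitimate flow. The endpoints `https://as.example/authorize` and `https://client.example/cb` are constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://as.example/authorize"   # constructed authorization endpoint
REDIRECT_URI = "https://client.example/cb"       # constructed client callback


def build_authorization_url(session, client_id, scope):
    """Hardened client: mint an unguessable state and bind it to the user session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": REDIRECT_URI, "scope": scope, "state": state,
    })


def callback_params(callback_url):
    return {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}


def handle_callback_vulnerable(session, callback_url):
    """Accepts whatever code arrives: a victim lured onto this URL gets the
    attacker's code, and so the attacker's account, bound to their session."""
    return callback_params(callback_url)["code"]


def handle_callback_hardened(session, callback_url):
    """Reject the callback unless state matches the value minted for this session."""
    params = callback_params(callback_url)
    expected = session.pop("oauth_state", None)   # single use: a replay finds nothing
    got = params.get("state")
    if expected is None or got is None or \
            not hmac.compare_digest(expected.encode(), got.encode()):
        raise PermissionError("state missing or mismatched: possible CSRF on redirect_uri")
    return params["code"]


def demo():
    """Play the CSRF against both handlers, then a legitimate flow and a replay."""
    # The attacker authorizes their own account, captures the code, and forces
    # the victim's browser (whose session has no pending state) onto the callback.
    forged = REDIRECT_URI + "?" + urlencode({"code": "ATTACKER_CODE"})
    victim = {}
    results = {"vulnerable": handle_callback_vulnerable(victim, forged)}
    try:
        handle_callback_hardened(victim, forged)
        results["hardened"] = "accepted"
    except PermissionError:
        results["hardened"] = "rejected"
    # Legitimate flow: the state round-trips through the authorization server.
    user = {}
    state = callback_params(build_authorization_url(user, "web-app-1", "read"))["state"]
    legit = REDIRECT_URI + "?" + urlencode({"code": "USER_CODE", "state": state})
    results["legit"] = handle_callback_hardened(user, legit)
    try:
        handle_callback_hardened(user, legit)   # same callback again: state already consumed
        results["replay"] = "accepted"
    except PermissionError:
        results["replay"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

When testing a real client, the forged callback is what you deliver to the victim's browser; if the client completes the login, the state check is missing or not tied to the session.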
9. Leverage clickjacking vulnerabilities
If the authorization page can be loaded in an iframe, a clickjacking page can overlay it and trick the user into approving an authorization request for the attacker's client. Check the authorization endpoint's responses for an X-Frame-Options header (DENY or SAMEORIGIN) and a Content-Security-Policy frame-ancestors directive; if both are missing, or frame-ancestors admits any origin, the page is framable. [Section 4.4.1.9; countermeasure 5.2.2.6]
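An added example, not from the original post: a check that decides from a response's headers whether the page can be framed by an arbitrary origin, plus a minimal proof-of-concept page generator. A frame-ancestors directive, when present, takes precedence over X-Frame-Options in browsers that support CSP, so the check reads it first; the header sets in the test and the target URL under `as.example` are constructed.

```python
OPEN_SOURCES = {"*", "http:", "https:"}   # frame-ancestors values that admit any origin


def frame_ancestors(csp_header):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_verdict(headers):
    """Can this response (say, the authorization consent page) be framed by
    an arbitrary origin? Returns (framable, reason). Header names are matched
    case-insensitively. frame-ancestors, when present, overrides X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors == ["none"]:
            return False, "CSP frame-ancestors 'none'"
        if OPEN_SOURCES & set(ancestors):
            return True, f"CSP frame-ancestors admits any origin: {' '.join(ancestors)}"
        return False, f"CSP frame-ancestors restricted to: {' '.join(ancestors)}"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return True, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    return True, "no framing restriction (X-Frame-Options missing or invalid)"


def clickjacking_poc(target_url, decoy_text="Click to continue"):
    """Minimal PoC page: the target consent page in a nearly transparent iframe
    layered over a decoy button placed where the approve button renders
    (adjust the offsets to the real page)."""
    return f"""<!doctype html>
<meta charset="utf-8">
<title>PoC</title>
<style>
  iframe {{ position: absolute; top: 0; left: 0; width: 1000px; height: 800px;
           opacity: 0.02; z-index: 2; }}
  button {{ position: absolute; top: 420px; left: 300px; z-index: 1; }}
</style>
<button>{decoy_text}</button>
<iframe src="{target_url}"></iframe>
"""


if __name__ == "__main__":
    # Constructed header sets; in a test, feed in the real response headers.
    for name, hdrs in {
        "no headers": {},
        "xfo deny": {"X-Frame-Options": "DENY"},
        "csp overrides xfo": {"X-Frame-Options": "DENY",
                              "Content-Security-Policy": "default-src 'self'; frame-ancestors *"},
    }.items():
        print(name, framing_verdict(hdrs))
```

The third constructed case is the one that catches people: X-Frame-Options DENY looks safe, but a frame-ancestors * next to it wins in CSP-aware browsers, so the page remains framable.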
10. Intercept tokens without TLS
Without TLS, access tokens, authorization codes and client credentials cross the network in the clear and can be captured by anyone on the path. Look for any endpoint reachable over plain HTTP (authorization, token, resource server, or the client's redirect URI), and check whether clients validate the server certificate rather than merely using an https:// URL. [Section 5.1.1, 5.1.2]
11. Abuse excessive token scope and usage
Tokens with broader scope than the client needs, or with no usage or audience limits, give an attacker who obtains one correspondingly more access. Look for tokens that carry more privileges than the feature requires, that are accepted by resource servers they were not issued for, or that can be used without limit. [Section 5.1.5.1, 5.1.5.4, 5.1.5.5]
Different prompting strategies have helped me extract these tips from the RFC. I’d encourage all offensive security professionals to dive deeper into this document because it’s a treasure trove of valuable insights, especially sections 4 and 5.
And of course, these tips should only be used in controlled environments where permission for pentesting has been granted.